2023-09-13 by Chris Beckett (@cbecks_2)
Random file extensions from iManage
When Office documents are protected by iManage, opening them creates script files in %TEMP% with a randomly generated file extension (such as .hta, .sct, .inf, .cpl, .wsf, etc.). This happens because iManage uses the .NET Path.GetRandomFileName method to name these files. So while most instances result in files that look like x191krbu.idj, sometimes they end up being written like x191krbu.hta, which will likely wreak havoc on a good defender's SIEM rules.
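One way to triage these hits in file-create telemetry, as an added example that is not from the original post or from iManage. The event format, the process names, the sibling threshold and the 8.3 lowercase-alphanumeric shape (inferred from the sample name x191krbu.idj) are assumptions.

```python
import re
from collections import Counter
from pathlib import PureWindowsPath

# Shape of the page's sample name x191krbu.idj: 8 chars, a dot, 3 chars.
RANDOM_SHAPE = re.compile(r"[a-z0-9]{8}\.[a-z0-9]{3}")
# Extensions the page lists as colliding with script-file rules.
WATCHED = {".hta", ".sct", ".inf", ".cpl", ".wsf"}
MIN_SIBLINGS = 2  # assumed threshold, tune per environment

def is_random_shape(path):
    return RANDOM_SHAPE.fullmatch(PureWindowsPath(path).name) is not None

def in_temp(path):
    # Simplification: the file sits directly in a directory named Temp.
    return PureWindowsPath(path).parent.name.lower() == "temp"

def triage(events):
    """Return {path: verdict} for (process, path) events with a watched extension."""
    # Count random-shaped files with unwatched extensions per (process, dir).
    siblings = Counter()
    for proc, path in events:
        p = PureWindowsPath(path)
        if is_random_shape(path) and p.suffix.lower() not in WATCHED:
            siblings[(proc.lower(), str(p.parent).lower())] += 1
    verdicts = {}
    for proc, path in events:
        p = PureWindowsPath(path)
        if p.suffix.lower() not in WATCHED:
            continue
        key = (proc.lower(), str(p.parent).lower())
        if is_random_shape(path) and in_temp(path) and siblings[key] >= MIN_SIBLINGS:
            verdicts[path] = "likely-random-name"  # downgrade, keep logged
        else:
            verdicts[path] = "alert"
    return verdicts

# Constructed sample events (process names and paths are hypothetical).
T = r"C:\Users\alice\AppData\Local\Temp"
EVENTS = [
    ("winword.exe", T + r"\x191krbu.idj"),
    ("winword.exe", T + r"\q0m4zt7e.p3w"),
    ("winword.exe", T + r"\x191krbu.hta"),
    ("winword.exe", T + r"\invoice.hta"),
    ("wscript.exe", T + r"\k2j8dd1a.wsf"),
]
```

A name that matches the shape is a triage hint only; the verdict lowers severity for review and does not drop the event.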